We present a quantum password checking protocol where secrecy is protected by the laws of quantum mechanics. The passwords are encoded in quantum systems that can be compared but have a dimension too small to allow reading the encoded bits. We study the protocol under different replay attacks and show it is robust even for poorly chosen passwords.


The password checking problem appears when two sides who share some common information want to verify the other side also knows it. We consider two parties, Alice and Bob, who share an m-bit string p (the password). There can also be an eavesdropper, Eve, trying to either learn the password or to impersonate Alice or Bob. For simplicity, we describe the case where Alice tries to prove her identity to Bob. Everything is symmetric for the converse case.

Imagine Alice and Bob can only communicate through an insecure classical channel. Alice could send her password in the clear, but Eve could read it undetected and later pose as Alice. A widespread solution is the use of hash functions. A hash, or one-way, function $H(x)$ takes a string x into an output string of a fixed size that appears to be random. The function $H(x)$ should be easy to compute, but difficult to invert. The functions are chosen so that finding $x = H^{-1}(H(x))$ from $H(x)$ is computationally hard. If Alice sends $H(p)$, Eve could still copy the string and impersonate Alice, but, at least, the password is protected. If the password has some value, for instance, Alice uses it in other places, this is a small improvement. A greater advantage comes if Alice and Bob use hash chains. Alice can send a string $H^z(p)$ which results from applying the hash function z times, first to p and then to the resulting hash of the previous step. Bob can keep a record of the z's used in previous identification rounds and keep asking for smaller values of z. Eve can capture $H^z(p)$, but she is not able to produce $H^y(p)$ for $y < z$. This is a solution in classical networks, but it is still vulnerable to dictionary attacks in which Eve compiles a list of the most common passwords and pre-computes their hashes and the hashes of their hashes up to a certain depth. If she captures a passing string $H^z(p)$, she can look it up in her table and find out the original password.

There are password checking protocols, like SPEKE, which are based on Zero Knowledge Proofs [1] and avoid dictionary attacks from eavesdroppers (but not from a dishonest side). Similarly, the SSH protocol favours the use of public key cryptography coupled with challenge-response authentication. These systems are based on the computational difficulty of problems like factoring or the discrete logarithm, which, while robust against present technology, are not guaranteed to be hard problems and could, indeed, be broken with quantum computers.

In this paper, we propose an alternative password 
checking protocol where security is derived from the laws 
of quantum mechanics. The protocol can resist replay 
attacks and is robust against dictionary attacks, even for 
poorly chosen passwords. 

Previous quantum solutions to this problem either use entangled states or are built on top of the quantum key distribution protocol BB84. Our protocol is instead based on quantum fingerprinting [17]. It encodes data in a quantum system too small to allow full recovery but which allows state comparison. However, our encoding focuses on security rather than on communication savings. In that respect, it is more similar to quantum public-key cryptography systems [18].

We only need three primitives: quantum state preparation, random number generation and quantum state comparison. Quantum state comparison is performed with the SWAP test used in quantum fingerprinting. The test can detect different states. If we have two input states with density matrices $\rho$ and $\sigma$, the test fails and the states are proved to be different with probability $\frac{1-\mathrm{tr}(\rho\sigma)}{2}$. If the states pass the test, with probability $\frac{1+\mathrm{tr}(\rho\sigma)}{2}$, they can still be different. If we have many copies of the states, we can determine whether they are equal or different with high probability if they are different enough ($\mathrm{tr}(\rho\sigma)$ is not very close to 1).

In our protocol, we apply the SWAP test on passwords that are encoded in symmetric states of dimension $D = 2^d$. We define symmetric states $|\Phi_j\rangle$ with $j = 0,\ldots,N-1$ so that

We take states which encode both the password and a random bit string in a symmetric state $|\psi_p^{r_i}\rangle = |\Phi_{H(p\|r_i)}\rangle$ with index j equal to the integer whose binary representation is the output of the hash function H with an input that is the concatenation of the binary strings representing the password p and the random string $r_i$. We work with a hash function $H(x)$ with n bits of output so that there are $N = 2^n$ possible password states that represent the $M = 2^m$ possible passwords in a compressed state space.

A useful property of this encoding is that the mixed state that comes from choosing at random with the same probability any symmetric state $\rho_j = |\Phi_j\rangle\langle\Phi_j|$ is the maximally mixed state, as

$$\frac{1}{N}\sum_{j=0}^{N-1}|\Phi_j\rangle\langle\Phi_j| = \frac{1}{N}\frac{1}{D}\sum_{j=0}^{N-1}\sum_{l=0}^{D-1}\sum_{m=0}^{D-1} e^{\frac{2\pi i j(l-m)}{N}}\,|l\rangle\langle m| = \frac{1}{ND}\sum_{l,m}\left(\sum_{j=0}^{N-1} e^{\frac{2\pi i j(l-m)}{N}}\right)|l\rangle\langle m| = \frac{1}{D}\sum_{l=0}^{D-1}|l\rangle\langle l| = \frac{I}{D} \qquad (2)$$

using that the geometric sum of the $e^{\frac{2\pi i j(l-m)}{N}}$ terms is only different from 0 if $l = m$, when it is N.

With all these elements we can give the password 
checking protocol. We describe the case where Alice 
proves her identity to Bob and both share a password p 
of m bits that is hashed to produce n bits. 


• Repeat up to s times:

1. Alice and Bob jointly generate a random string $r_i$ of m bits.

2. Alice prepares a state $|\psi_p^{r_i}\rangle$ in a quantum system of dimension $D = 2^d$ with $d < n$ and gives it to Bob.

3. Bob performs a quantum state comparison between the received state and a locally generated $|\psi_p^{r_i}\rangle$.

- If the states are found to be different, Bob aborts the protocol.

- If the states pass the test, we repeat steps 1 to 3 with new random strings until we have s positive comparisons.


For simplicity we choose random strings of m bits, but any number of bits sufficiently larger than n can be used. Alice and Bob can each generate random strings if they input orthogonal states into the SWAP test. They have probability 1/2 of passing the test, which could be identified with a 1 bit, and probability 1/2 of failing (the bit is 0). The joint random string can be produced by the XOR of Alice's and Bob's strings if they can guarantee the bits are simultaneously produced. For our purposes, they can also produce it by taking one bit from Alice and one from Bob. As long as one of the sides is honest, the hash function will introduce enough randomization even if only half the bits of the string are random. For higher security, Alice and Bob can use the classical protocol of Damgård and Lunemann, which offers unconditional security for one side and computational security, even against quantum computers, for the other side. Alternatively, they can use the unconditionally secure relativistic coin flipping protocol of Kent or strings whose randomness is certified by Bell's theorem.

The basic concept of the protocol can be explained with a simple analogy. We can picture the quantum state as a piece of paper with a limited size. If we try to write too many words, at some point we need to sacrifice legibility. The greater the number of words, the more difficult it becomes to make sense of what is written. However, it is still possible to compare two sheets of paper. A quick glance suffices to tell, with good accuracy, whether the contents are equal or not. If the contents are almost equal, there will be a good chance of giving a false positive, but completely different texts, say a page full of the letter "a" and one only with numbers, can be told apart with high confidence.

In this protocol, the password is protected by the limitations of the quantum encoding. We have encoded too many bits, n, into a too small state space. From the Holevo bound we know we cannot reliably recover more than d bits from a $D = 2^d$-dimensional quantum state [27]. From Nayak's bound we also know that for $d \ll n$ we also have a small probability of recovering only some of those bits [28]. We use a stronger result from Ben-Aroya, Regev and de Wolf [29] which limits k-out-of-n encodings that allow to recover k bits from the total n bits of a string. If the ratio $d/n$ is below a constant threshold (about 0.72), the probability of recovering k bits is exponentially small in k. For a small enough ratio the probability tends to $2^{-k}$, which is as likely as guessing the bits by chance.

If we choose $sd \ll n$, Eve would not learn anything about the password, even if she captured all the states in a full protocol exchange. Usually, Alice and Bob must both identify themselves to the other side. In those cases, instead of first performing the s stages of Alice authenticating to Bob and the s stages of Bob convincing Alice, they should take turns for each stage. If Eve is on any of the sides, she would be detected early, before she can capture many states. The number of generated states before changing the password must be established so that the maximum number of captured states c still satisfies $cd \ll n$.

The k-out-of-n bound also limits the amount of global information an attacker can learn from the password state. The useful information about any k bits of $H(p\|r_i)$ must be, at most, exponentially small in k. Otherwise, Alice and Bob could devise a code that groups the states with the different values of a global property, such as the parity of all the bits or the AND function of a group of them, and use the attack as a way to send one bit of information with a probability better than the limit close to 0.5 given by the bound.

If we have M possible combinations of parameters, the average probability of passing the SWAP test is related to the average fidelity F of all the fidelities $F_k = \mathrm{tr}(\rho_t\rho_k)$ between the trial state $\rho_t$ of an attacker who does not know p and the legitimate pure state $\rho_k$ which depends on the considered parameters. We have

$$P = \frac{1}{M}\sum_{k=0}^{M-1}\frac{1+F_k}{2} = \frac{1 + \frac{1}{M}\sum_{k=0}^{M-1}F_k}{2} = \frac{1+F}{2} \qquad (3)$$


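As an added illustration that is not part of the paper, the following Python code builds the symmetric states whose projectors appear in Equation (2), checks that their uniform average is the maximally mixed state $I/D$, and evaluates the average SWAP-test pass probability $(1+F)/2$ of Equation (3) for an attacker who sends a fixed trial state, which comes out as $(1+1/D)/2$ per stage. The hash H is instantiated with SHA-256 reduced to n bits, and the parameter values and the trial state are constructed for the example.

```python
import hashlib
import numpy as np

# Constructed parameters (the paper leaves n and d free): an n-bit hash gives
# N = 2**n password states squeezed into a D = 2**d dimensional system, d < n.
n, d = 6, 3
N, D = 2 ** n, 2 ** d
# Constructed trial state for the random-state attack: the uniform superposition.
UNIFORM_TRIAL = np.ones(D) / np.sqrt(D)

def symmetric_state(j: int) -> np.ndarray:
    """|Phi_j> = D^(-1/2) * sum_l exp(2*pi*i*j*l/N) |l>, l = 0..D-1; these are the
    projectors summed in Equation (2)."""
    l = np.arange(D)
    return np.exp(2j * np.pi * j * l / N) / np.sqrt(D)

def density(psi: np.ndarray) -> np.ndarray:
    """Pure-state density matrix |psi><psi|."""
    return np.outer(psi, psi.conj())

def password_index(password: bytes, r: bytes) -> int:
    """j = H(p||r) reduced to n bits. SHA-256 taken modulo N stands in for the
    paper's generic n-bit hash H (an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(password + r).digest(), "big") % N

def password_state(password: bytes, r: bytes) -> np.ndarray:
    """|psi_p^r> = |Phi_{H(p||r)}>, the state Alice hands to Bob in step 2."""
    return symmetric_state(password_index(password, r))

def swap_test_pass_probability(rho: np.ndarray, sigma: np.ndarray) -> float:
    """The SWAP test accepts rho and sigma as equal with probability (1 + tr(rho sigma))/2."""
    return float((1 + np.trace(rho @ sigma).real) / 2)

def averaged_state_is_maximally_mixed() -> bool:
    """Check Equation (2): (1/N) sum_j |Phi_j><Phi_j| equals I/D because the
    geometric sum over j vanishes unless l == m."""
    avg = sum(density(symmetric_state(j)) for j in range(N)) / N
    return bool(np.allclose(avg, np.eye(D) / D))

def honest_stage(password: bytes, r: bytes) -> float:
    """Alice and Bob build the same |psi_p^r>, so Bob's comparison passes with certainty."""
    rho = density(password_state(password, r))
    return swap_test_pass_probability(rho, rho)

def random_state_attack(trial: np.ndarray, s: int) -> float:
    """Eve, knowing neither p nor r_i, sends the same pure trial state at every stage.
    Averaged over the N equally likely password states, the per-stage pass
    probability is (1 + tr(rho_t I/D))/2 = (1 + 1/D)/2; s stages multiply."""
    rho_t = density(trial)
    per_stage = np.mean([swap_test_pass_probability(rho_t, density(symmetric_state(j)))
                         for j in range(N)])
    return float(per_stage ** s)
```

With these constructed values (D = 8) a single stage lets the fixed trial state through with probability 0.5625, and ten stages bring it below 0.4%, while the honest exchange passes every stage.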
In the rest of the paper we show an attacker who doesn't know anything about p can only produce states with an average fidelity $F = \frac{1}{D}$. If D is high enough, the probability of passing the s stages of the protocol and fooling Bob into accepting a false Alice is
which can be made arbitrarily small.

There are two main attacks we must avoid. The first is a random state attack. We can consider Eve intends to fool Bob with a trial state $\rho_t$ that is constant for all attempts. She will try to maximize her probability of passing the test for all the possible passwords. The average fidelity for this trial state is

$$F = \frac{1}{M}\sum_{p=0}^{M-1}\mathrm{tr}\left(\rho_t\,\rho_p^{r_i}\right) = \mathrm{tr}\left(\rho_t\,\frac{1}{M}\sum_{p=0}^{M-1}\rho_p^{r_i}\right) \qquad (5)$$

for the constant, known $r_i$ of each stage. When we consider all the possible fixed $r_i$, the value of an ideal hash function $H(p\|r_i)$ is evenly distributed through all the integers from 0 to $N-1$ with the different values of p. When the number of hash output bits n is sufficiently smaller than the number of password bits m, the sum gives a uniform average on all the possible symmetric states and the result is close to the completely mixed state of Equation (2). The average fidelity can then be approximated by

$$F = \mathrm{tr}\left(\rho_t\,\frac{I}{D}\right) = \frac{1}{D}\mathrm{tr}(\rho_t) = \frac{1}{D} \qquad (6)$$

if $\rho_t$ is pure, or smaller for mixed trial states. Essentially, p randomizes the state. The attacker sees a maximally mixed state and cannot do better than random guessing.

There is a second important family of attacks. Eve can try a replay attack in which she captures and stores previous legitimate interchanges between Alice and Bob and uses the captured states to impersonate Alice. The random strings prevent Eve from directly using her stored states, but she can try to modify them to fool Bob.

The simplest case is one in which Eve captures a state $\rho_p^{r_1}$ and wants to produce a state as close to the next state in the protocol $\rho_p^{r_2}$ as possible. Eve can perform any allowed operation on the captured state. The most general transformation allowed by quantum mechanics is a completely positive map $\mathcal{E}(\rho_p^{r_1}) = \mathrm{tr}_E\left(U(\rho_p^{r_1}\otimes\rho_{anc})U^\dagger\right)$ which combines the effects of adding an ancillary system $\rho_{anc}$, performing a unitary operation U in the larger state space of $\rho_p^{r_1}\otimes\rho_{anc}$ and then presenting Bob with a subsystem of the resulting state, represented by the partial trace $\mathrm{tr}_E(\cdot)$. Eve wants to maximize her fidelity

$$F = \frac{1}{M^3}\sum_{p=0}^{M-1}\sum_{r_1=0}^{M-1}\sum_{r_2=0}^{M-1}\mathrm{tr}\left(\mathcal{E}(\rho_p^{r_1})\,\rho_p^{r_2}\right) \qquad (7)$$

for any combination of p, $r_1$ and $r_2$.

We use a result by Fiurasek to bound this fidelity [31]. For input states $|\psi_{in}(x)\rangle$ chosen from a set of parameters x, the best approximation to outputs $|\psi_{out}(x)\rangle$ is given by the average fidelity

$$F = \int \langle\psi_{out}(x)|\,\mathcal{E}\left(|\psi_{in}(x)\rangle\langle\psi_{in}(x)|\right)|\psi_{out}(x)\rangle\,dx, \qquad (8)$$

which can be optimized using Lagrange multipliers. For our discrete version of the average fidelity shown in Equation (7), we need to look at the operator

$$R = \frac{1}{M^3}\sum_{p=0}^{M-1}\sum_{r_1=0}^{M-1}\sum_{r_2=0}^{M-1} \qquad (9)$$

For any fixed p, the sum in $r_1$ and $r_2$ has outputs $H(p\|r_1)$ and $H(p\|r_2)$ in all the values of 0 to $N-1$ and Equation (2) is a good approximation to the final state so that
Fidelity F is bounded by the dimension of the input Hilbert space $\dim\mathcal{H}$ and the largest eigenvalue $R_{max}$ of R [31]. In our case, R has eigenvalues

and

$$F \le \dim\mathcal{H}\,R_{max} = D\,R_{max}$$
We can extend the results to the case where Eve captures up to c states $\rho_p^{r_1}, \rho_p^{r_2}, \ldots, \rho_p^{r_c}$ and wants to approximate the next state in the sequence. Now

$F =$

and

We can proceed in a way similar to the single captured state scenario and show

$R =$

and

$$F \le \dim\mathcal{H}^{\otimes c}\,R_{max} \qquad (15)$$
There are two caveats. First, the bound breaks down after a number of captured states. We assume Eve doesn't know a single bit of p. If she did, the averaged fidelity is not the quantity to maximize and the proof is no longer valid. The bound holds as long as $cd \ll n$ so that Eve cannot guess the bits from p. We already keep this bound in order to protect the password.

There might be insecure particular cases, but, for random $r_i$s, they must be rare on average. After s stages, the probability of fooling the system still tends to $2^{-s}$, up to a second term that is also exponentially small in s. Bob can also keep a list of all the previously used $r_i$s to avoid repetition or weak special cases.

These bounds show the protocol is resistant to eavesdroppers that try to learn the password or perform a replay attack. The protocol offers an additional layer of security beyond that of systems based on computational complexity. Security is based on physical limitations. The protocol protects against adversaries with a quantum computer and is independent of technological assumptions. A hash $H(x)$ which is difficult to invert with present technology could be broken with better compilers. This has happened with algorithms like MD5 [32]. Similarly, the systems that use public key cryptography are usually optimized for speed and could be broken with better computers. In our protocol, if we choose a small enough dimension D, the password is unreadable even for future technologies.

Using quantum systems also gives additional protection from dictionary attacks. If we choose a bad password b from a reduced set of possible passwords of size B so that $D \ll B < 2^m$, Eve still cannot look up the captured states in a pre-computed table. If she could find the password, she would have an encoding that allowed her to squeeze more than d bits into a D-dimensional state.

A bad password choice would not reduce the security of the system as long as B is sufficiently larger than N. If we suspect passwords are chosen from a smaller set, like a small dictionary of English words, our proofs are no longer valid and there could exist advanced impersonation attacks. If passwords are chosen freely, it could be safer to send a hash $q = H'(b)$ that takes the passwords into a string with a smaller size $n'$ which is small enough to make bad passwords produce randomly distributed q strings and, at the same time, is large enough to make $cd \ll n'$. This reduces the number of password reuses, but preserves the properties of the original scheme.

The protocol has been given in a general form with three simple primitives that do not require a full quantum computer. A practical realization of the protocol can be deployed on top of existing systems as an additional measure of security. There is a relatively simple implementation with optical primitives where state preparation is feasible and the SWAP test can be performed with the Hong-Ou-Mandel effect [33, 34]. A detailed implementation will be presented elsewhere.